tools-claude-code-teams-mcp

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). Moderately suspicious: the workflow pulls and executes code directly from a GitHub repository under an unfamiliar account (via git+https/uvx), which can run arbitrary code, while the localhost URL is not a remote download but is used to host/run that potentially untrusted code locally.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's orchestrator and core workflow explicitly poll and ingest teammate/session messages from the opencode server (see scripts/opencode-teams-orchestrator.py get_messages / prompt_async and SKILL.md instructions to use claude-teams_read_inbox and act—including sending shutdown_request—based on message content), which are untrusted user-generated messages that can directly drive tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The opencode config's command uses "uvx --from git+https://github.com/cs50victor/claude-code-teams-mcp" which will fetch and execute remote code from that GitHub repo at runtime and is required for the opencode/claude-teams backend, so this URL is a runtime-executed external dependency.